Abstract. In this paper we study one-round key-agreement protocols analogous to Merkle's puzzles in the random oracle model. The players Alice and Bob are allowed to query a random permutation oracle n times and, based on their queries and communication, they both output the same key with high probability. We prove that Eve can always break such a protocol by querying the oracle $O(n^2)$ times. The long-unproven optimality of the quadratic bound in the fully general, multi-round scenario has been shown recently by Barak and Mahmoody-Ghidary. The results in this paper were found independently of their work.

1 Introduction 

In this paper, we find a tight upper bound on the number of queries needed to break a key-agreement protocol in the random oracle model. Key-agreement protocols called Merkle's puzzles were constructed by Ralph Merkle in 1974 but only published in 1978 [1]. They are one of the earliest examples of public-key cryptographic protocols.

The key agreement à la Merkle between Alice and Bob proceeds as follows: Alice constructs a large number of puzzles, each of them solvable with Bob's computational resources. In other words, all of them are in the form of an encrypted message with an unknown key that is short enough to allow for a brute-force attack. After receiving the message from Alice, Bob chooses one puzzle uniformly at random and solves it. The solution contains an identifier and a key. Bob encrypts the identifier with the key and announces it back to Alice. The solution of the puzzle solved by Bob becomes Alice's and Bob's secret key. Since the puzzle's identifier is sent to Alice as a message encrypted with a key that is unknown to Eve, the eavesdropper's best strategy to attack such a protocol is to solve as many puzzles as possible. To achieve a constant probability of success, Eve has to solve a constant fraction of them, which might require much more computational power than what is needed by the legitimate players.

In a similar way we construct a key-agreement protocol in the random oracle scenario, where the computational difficulty of a key-agreement protocol is expressed by the number of oracle queries that Alice and Bob make in order to agree on a secret key. Instead of creating many puzzles, Alice queries the oracle in many positions that are unknown to both Bob and Eve, and sends the images of the queried elements to Bob. Bob queries the oracle in sufficiently many positions to get a collision with Alice's set of queries with high probability. He recognizes the collision from Alice's message and reports it back to Alice by its identifier, the oracle image. The pre-image becomes Alice's and Bob's secret key. Besides requiring only few queries from the players, the protocol reveals little information about the key to Eve through the communication, since the oracle is random. With the same number of queries as Bob, she would find a collision with Alice's set of queries with high probability, but not necessarily the one found by Bob. Hence, finding the right element might require significantly more oracle queries than Alice and Bob needed to agree on the key.

Until recently, the best upper bound on the number of queries Eve needs to break such protocols was the one shown by Impagliazzo and Rudich [2]. They prove that in any key-agreement protocol based on a random-permutation oracle, where Alice and Bob agree on the secret key in $n$ rounds in such a way that they make only one query per round (the normal form of a protocol), Eve needs at most $O(n^3)$ oracle queries to output a secret-key guess that matches Bob's secret key with the same probability as Alice's key does. For a protocol in general form, $O(n^6)$ queries are sufficient for an attack, which can be proven by showing that any protocol can be transformed into its normal form with at most a quadratic blow-up in the number of oracle queries made by the players. In [2], the question is studied in the larger context of showing that the possibility of secure key agreement relative to some random permutation oracle implies $P \ne NP$. In other words, proofs showing that the existence of one-way functions implies the existence of secure key agreement do not relativize.

The bound from [2] has been improved recently by Barak and Mahmoody-Ghidary [3], who show that in fact $O(n^2)$ queries are sufficient for Eve's attack.

In our paper we deal with one-round key-agreement protocols where Alice and Bob query the oracle $a$ and $b$ times, respectively. Such protocols form a subset of the protocols whose normal form consists of $a + b$ rounds. We prove the tight $O((a+b)^2)$ upper bound on the number of queries Eve needs to break the protocol.

Throughout the paper, we use the following notation: $\chi_A$ denotes the characteristic function of the set $A$, $E(X)$ denotes the expected value of the random variable $X$, and $E^{c}(X)$ denotes the expected value of $X$ conditioned on the information $c$.

2 One-Round Key-Agreement Protocols

In this section, we model one-round key-agreement protocols between Alice and Bob. We assume that Alice, Bob, and an eavesdropper Eve have access to an oracle computing a random permutation $f$ on $\{1, \ldots, n\}$. We define a one-round key-agreement protocol as follows:

Protocol 1 

Given $n \in \mathbb{N}$ and an oracle computing a random permutation $f$ on $\{1, \ldots, n\}$,

1. Alice queries the oracle $f$ in positions $A_1 \subseteq \{1, \ldots, n\}$, computes a message $c_A$ and sends it to Bob.

2. Bob, given $c_A$, queries the oracle $f$ in positions $B \subseteq \{1, \ldots, n\}$, $|B| \le b$, computes a message $c_B$ and sends it to Alice. Bob generates the secret key $k_B \in \{0,1\}^{\ell}$, $k_B = g_B(B, f(B), c = (c_A, c_B), R_B)$, where $R_B$ denotes his local randomness.

3. Alice, given $c$, queries the oracle in positions $A_2 \subseteq \{1, \ldots, n\}$ such that for $A := A_1 \cup A_2$, $|A| \le a$, and generates the secret key $k_A \in \{0,1\}^{\ell}$, $k_A = g_A(A, f(A), c, R_A)$, where $R_A$ denotes her local randomness.

We denote by $(a, b, \varepsilon)$-key-agreement any one-round key-agreement protocol defined as above and satisfying the condition $\Pr[k_A \ne k_B] \le \varepsilon$, where $\varepsilon < 1$ is a constant.

Notice that $a$ and $b$ are functions of $n$, but for simplicity we refer to them as $a$ and $b$ instead of $a(n)$ and $b(n)$ whenever the latter form is not explicitly needed. Since key-agreement protocols take place between players Alice and Bob sharing no initial secret, the key generation mechanism must involve only common queries to the oracle $f$. We say that Eve breaks the protocol if she outputs a string that agrees with Bob's key with the same probability as Alice's does.

Lemma 2.1. In order to break an $(a, b, \varepsilon)$-key-agreement protocol it is sufficient for Eve to query all intersection queries of Alice and Bob used for the generation of Alice's secret key.



Proof. Eve, querying all elements in $A_1 \cap B$, can construct a permutation $f'$ matching $f$ on $E$ (Eve's queries), and a set $A'_1$ of queries to the oracle computing $f'$ such that $c_A = c_{A'_1}$ and $f'$ is consistent with $c_B$. Therefore Bob has exactly the same view about $A'_1$ as he has about $A_1$. Eve constructs the set $A'_2$ according to $A'_1$ and $c$, and then "queries" the $f'$-oracle on the positions in $A'_2$. Finally, she generates her secret key $k_E = g_A(A', f'(A'), c, R_{A'})$, where $A' := A'_1 \cup A'_2$. From Bob's point of view, both $k_E$ and $k_A$ are generated from the same set $K \subseteq A \cap B$, i.e. $\Pr[k_B = k_A] = \Pr[k_B = k_E]$. □

3 Proof of the Quadratic Upper Bound 

We will consider the following attack on an $(a, b, \varepsilon)$-key-agreement protocol:

1. Eve repeats Bob's querying strategy $\gamma a$ times for some constant $\gamma$ (i.e. she makes $\gamma a b$ oracle queries) in order to query all elements of $A_1 \cap B$ with constant probability.

2. Eve extracts the positions of the $A_2$-queries from $c_B$ and queries the oracle on these positions ($a$ oracle queries).

Next we prove that with the proposed strategy Eve breaks the protocol with constant probability.

Lemma 3.1. By repeating Bob's strategy independently $5a$ times, Eve finds all elements in $A_1 \cap B$ with constant probability.

Proof. Let $\mathcal{A}$ and $\mathcal{B}$ denote the random variables associated with Alice querying the elements in $A_1$ and Bob querying the elements in $B$, respectively. Let $\mathcal{E}$ denote the random variable associated with the set $E$ of Eve's queries. W.l.o.g., assume that for $x, y \in \{1, \ldots, n\}$, $x < y$,

Define $A_1^0 := A_1$, $B^0 := B$, $\mathcal{A}^0 := \mathcal{A}$, $\mathcal{B}^0 := \mathcal{B}$, $s_0 := E^{c_A}(|A_1 \cap B|)$, and $n_0 := n$. In the $i$-th step, define $n_{i+1}$, $A_1^{i+1}$, $B^{i+1}$, $\mathcal{A}^{i+1}$, $\mathcal{B}^{i+1}$, $s_{i+1}$ in order to satisfy the following:

$$\forall x \in \{n_{i+1}+1, \ldots, n_i\}: \quad \Pr[x \in B^i \mid c_A] \ge \frac{s_i}{2a},$$

$A_1^{i+1} := A_1 \setminus \{n_{i+1}+1, \ldots, n\}$, $B^{i+1} := B \setminus \{n_{i+1}+1, \ldots, n\}$; let $\mathcal{A}^{i+1}$, $\mathcal{B}^{i+1}$ denote the corresponding random variables, and set $s_{i+1} := E^{c_A}(|A_1^{i+1} \cap B^{i+1}|)$. Furthermore, consider $u$ such that

$$\Pr[A_1 \cap B \subseteq \{n_u+1, \ldots, n\} \mid c_A] \ge \frac{1}{2}.$$



First, we prove that

1. there exists $u \in \mathbb{N}$ with the desired property,

2. $n_{i+1} < n_i$ for $i \in \{0, \ldots, u-1\}$,

3. $s_i - s_{i+1} \ge 1$ for $i \in \{0, \ldots, u-1\}$,

4. $s_u \ge 1$.

We can write:

$$s_i = E^{c_A}(|A_1^i \cap B^i|) = \sum_{A,\ |A| \le a} P_{\mathcal{A}^i \mid c_A}(A) \sum_{B,\ |B| \le b} P_{\mathcal{B}^i \mid c_A}(B)\, |A \cap B|, \qquad (1)$$

hence, there exists at least one $A \subseteq \{1, \ldots, n\}$ such that $\sum_{B,\ |B| \le b} P_{\mathcal{B}^i \mid c_A}(B)\, |A \cap B| \ge s_i$. Let us choose one such $A$. Then

$$\sum_{B,\ |B| \le b} P_{\mathcal{B}^i \mid c_A}(B)\, |A \cap B| = \sum_{B,\ |B| \le b}\ \sum_{x \in A \cap B} P_{\mathcal{B}^i \mid c_A}(B) = \sum_{x \in A}\ \sum_{B:\ x \in A \cap B} P_{\mathcal{B}^i \mid c_A}(B) = \sum_{x \in A} \Pr[x \in B^i \mid c_A].$$

Since $|A| \le a$, there is an $x \in \{1, \ldots, n_i\}$ such that $\Pr[x \in B^i \mid c_A] \ge s_i/a$. If we remove every $x \in \{1, \ldots, n_i\}$ such that $\Pr[x \in B^i \mid c_A] > s_i/(2a)$, then $s_{i+1} < s_i/2$.

Since in every step we remove at least one $x \in \{1, \ldots, n\}$, the procedure terminates after finitely many steps and therefore $u$ is well-defined and is at most $n$. Clearly, for $s_i < 1$ we have $\Pr[A_1^{i+1} \cap B^{i+1} = \emptyset \mid c_A] \ge 1/2$, implying that with probability at least $1/2$ we have $A_1 \cap B \subseteq \{n_{i+1}+1, \ldots, n\}$. Therefore $s_u \ge 1$ and for $i \in \{0, \ldots, u-1\}$:



We finish the proof of the statement by showing that by repeating Bob's strategy $5a$ times independently, Eve queries all elements in $A_1 \cap B$ with probability at least $1/8$. For $x \in \{n_{i+1}+1, \ldots, n_i\}$, Eve does not query $x$ with probability

$$\Pr[\chi_E(x) = 0 \mid c_A] \le \left(1 - \frac{s_i}{2a}\right)^{5a} \le e^{-s_i/2}.$$

That means that in the case where

$$|A_1^i \cap B^i \cap \{n_{i+1}+1, \ldots, n_i\}| \le \frac{e^{s_i/2}}{2 s_i^2},$$

the probability that Eve does not query at least one element in $\{n_{i+1}+1, \ldots, n_i\} \cap A_1^i \cap B^i$ is

$$\Pr\Big[\prod_{x \in \{n_{i+1}+1, \ldots, n_i\} \cap A_1^i \cap B^i} \chi_E(x) = 0 \,\Big|\, c_A\Big] \le e^{-s_i/2} \cdot \frac{e^{s_i/2}}{2 s_i^2} = \frac{1}{2 s_i^2}.$$

Since the expected number of elements in $A_1^i \cap B^i \cap \{n_{i+1}+1, \ldots, n_i\}$ is $s_i$, Markov's inequality implies that the set contains more than $e^{s_i/2}/(2 s_i^2)$ elements with probability at most $2 s_i^3 e^{-s_i/2}$. Let $u'$ denote the index such that $s_i > 28$ exactly for $i < u'$. Hence, there exists $i$, $0 \le i < u'$, such that $|A_1^i \cap B^i \cap \{n_{i+1}+1, \ldots, n_i\}| > e^{s_i/2}/(2 s_i^2)$ with probability at most $\sum_{i=0}^{u'-1} 2 s_i^3 e^{-s_i/2}$. The function $2x^3 e^{-x/2}$ is decreasing for $x > 6$, so the sum is bounded by the corresponding integral over the range of the $s_i$; since $s_{i+1} < s_i/2$, for $s_{u'-1} > 28$ we obtain

$$\sum_{i=0}^{u'-1} \frac{2 s_i^3}{e^{s_i/2}} \le \frac{1}{8}.$$

Furthermore, for $s_i \le 28$ (there are at most 5 of them, since $s_{i+1} < s_i/2$ and $s_u \ge 1$), the probability that $A_1^i \cap B^i \cap \{n_{i+1}+1, \ldots, n_i\}$ contains more than $40 s_i$ elements is at most $1/40$, by Markov's inequality.



The probability that there exists an $i$, $0 \le i < u$, such that

$$|A_1^i \cap B^i \cap \{n_{i+1}+1, \ldots, n_i\}| > \max\Big\{40 s_i,\ \frac{e^{s_i/2}}{2 s_i^2}\Big\}$$

is therefore at most $1/8 + 1/8 = 1/4$. If this happens, we say that $A_1 \cap B$ has a "bad structure" for finding all its elements by Eve.

It is sufficient for Eve to repeat Bob's algorithm $(\log 80 + 3 \log s_i)\, a / s_i \le 5a$ times to get all elements in $A_1^i \cap B^i \cap \{n_{i+1}+1, \ldots, n_i\}$, $i \ge u'$, assuming that there are no more than $40 s_i$ of them, with probability at least $1 - \frac{1}{2 s_i^2}$.

In other words, with $5a$ independent iterations of Bob's strategy, Eve does not query at least one element of a well-structured $A_1 \cap B \subseteq \{n_u+1, \ldots, n\}$ with probability

$$\Pr\Big[\prod_{x \in \{n_u+1, \ldots, n\} \cap A_1 \cap B} \chi_E(x) = 0 \,\Big|\, c_A\Big] \le \sum_{i=0}^{u-1} \frac{1}{2 s_i^2} = \frac{1}{2} \sum_{i=0}^{u-1} \frac{1}{s_i^2} \le \frac{1}{2} \int_{s_u}^{\infty} \frac{dx}{x^2} = \frac{1}{2 s_u} \le \frac{1}{2}.$$

Since $A_1 \cap B \not\subseteq \{n_u+1, \ldots, n\}$ with probability at most $1/2$, and $A_1 \cap B$ is ill-structured with probability at most $1/4$, $A_1 \cap B \subseteq \{n_u+1, \ldots, n\}$ and is well-structured with probability at least $1/4$. In this case Eve queries all intersection elements with probability at least $1/2$; hence, Eve finds all intersection queries of $A_1$ and $B$ with probability at least $1/8$. □

Theorem 3.2. Eve can break an $(a, b, \varepsilon)$-key-agreement protocol with $O((a+b)^2)$ queries with constant probability.

Proof. As shown in the proof of Lemma 2.1, Eve, having queried all elements in $A_1 \cap B$, needs at most $|A_2| \le a$ further queries to generate a key that matches Bob's secret key with the same probability as Alice's key does. Lemma 3.1 shows that Eve can always query all elements in $A_1 \cap B$ with probability $1/8$ using at most $5ab$ queries. Therefore, Eve can break the protocol with constant probability with $5ab + a \in O((a+b)^2)$ oracle queries. □



4 Optimality of the Bound 

Consider the following protocol:

Protocol 2

1. Alice chooses a set $A \subseteq \{1, \ldots, n\}$, $|A| = a = \lceil \sqrt{n} \rceil$, uniformly at random, queries the oracle for the elements of $A$, and sends $c_A = \{f(x) : x \in A\}$ to Bob.

2. Bob chooses a set $B \subseteq \{1, \ldots, n\}$, $|B| = b = \lceil \sqrt{n} \rceil$, uniformly at random, queries the elements of $B$, chooses a collision element $k \in \{f(y) : y \in B\} \cap c_A$ at random, and sends $c_B = \{f(k)\}$ to Alice. He outputs the key $k$.

3. Alice recognizes $k$ according to $c_B$ and $A$, and outputs the key $k$.



Attack: With constant probability, Bob finds at least one collision with Alice's set of queries due to the birthday paradox, and therefore the given protocol is an example of a $(\sqrt{n}, \sqrt{n}, \varepsilon)$-key-agreement protocol for some constant $\varepsilon < 1$. Given just $c$, the secret key is uniformly distributed in $\{1, \ldots, n\}$ and, furthermore, since the oracle is random, Eve knowing the oracle image for only $o(n)$ elements still has $(1 - o(1)) \log n$ bits of entropy about $f(x)$ for $x \notin E$. Hence, Eve has to query the oracle in $\Theta(n)$ positions to get the right secret key with constant probability, implying that Eve's optimal strategy to break the protocol with constant probability must involve $\Theta(n) = \Theta((a+b)^2)$ oracle queries.
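The following Python program simulates Protocol 2 together with the attack of Section 3, so that the query counts of all three parties can be compared on a concrete instance. It is an added illustration and not code from the paper: it implements a counting random-permutation oracle, runs Protocol 2 with a = b = ⌈√n⌉, and then lets Eve re-run Bob's querying strategy γa times (γ = 5, so at most 5ab queries) and read the key off from c_B. Two assumptions are built in and labelled in the code: the agreed key is taken to be the pre-image of the announced oracle image (the reading given in the introduction), so Alice needs no second round of queries (A_2 = ∅), and all randomness is seeded so that the experiment is reproducible. The names PermutationOracle, bob_strategy, run_protocol, eve_attack and experiment are the example's own.

```python
import math
import random


class PermutationOracle:
    """A uniformly random permutation f of {1, ..., n} that records which
    positions each party has queried (queries are the model's only cost)."""

    def __init__(self, n, rng):
        images = list(range(1, n + 1))
        rng.shuffle(images)
        self._f = dict(zip(range(1, n + 1), images))
        self.queried = {}  # party name -> set of queried positions

    def query(self, party, x):
        self.queried.setdefault(party, set()).add(x)
        return self._f[x]

    def count(self, party):
        return len(self.queried.get(party, ()))


def bob_strategy(oracle, party, n, b, rng):
    """Bob's querying strategy, reused verbatim by Eve: query b distinct
    uniformly random positions and return the position -> image map."""
    return {x: oracle.query(party, x) for x in rng.sample(range(1, n + 1), b)}


def run_protocol(n, rng):
    """Protocol 2 with a = b = ceil(sqrt(n)). Returns None when Bob finds no
    collision (the run then fails, which happens with constant probability),
    otherwise the public transcript, both keys and the oracle."""
    a = b = math.ceil(math.sqrt(n))
    oracle = PermutationOracle(n, rng)
    # Step 1: Alice queries a random a-subset and publishes the images c_A.
    alice_view = {x: oracle.query("alice", x) for x in rng.sample(range(1, n + 1), a)}
    c_A = set(alice_view.values())
    # Step 2: Bob queries b random positions and picks a collision with c_A.
    bob_view = bob_strategy(oracle, "bob", n, b, rng)
    collisions = [y for y, fy in bob_view.items() if fy in c_A]
    if not collisions:
        return None
    k_B = rng.choice(collisions)  # assumption: the key is the pre-image ...
    c_B = bob_view[k_B]           # ... and the identifier is its oracle image
    # Step 3: Alice recognises the pre-image from her own view (A_2 is empty).
    k_A = next(x for x, fx in alice_view.items() if fx == c_B)
    return {"n": n, "a": a, "b": b, "oracle": oracle,
            "c_A": c_A, "c_B": c_B, "k_A": k_A, "k_B": k_B}


def eve_attack(run, gamma, rng):
    """Section 3 attack: repeat Bob's strategy gamma*a times (at most
    gamma*a*b queries), then look for the pre-image of c_B among the queried
    positions. Returns Eve's key guess, or None if she missed it."""
    oracle, n, a, b = run["oracle"], run["n"], run["a"], run["b"]
    eve_view = {}
    for _ in range(gamma * a):
        eve_view.update(bob_strategy(oracle, "eve", n, b, rng))
    for y, fy in eve_view.items():
        if fy == run["c_B"]:
            return y
    return None


def experiment(n, trials, gamma=5, seed=1):
    """Run the protocol `trials` times; tally how often Alice and Bob agree,
    how often Eve recovers the agreed key, and the largest query count of
    each party, next to Eve's query budget gamma*a*b."""
    rng = random.Random(seed)
    a = math.ceil(math.sqrt(n))
    stats = {"agreed": 0, "eve_success": 0, "max_alice": 0, "max_bob": 0,
             "max_eve": 0, "eve_budget": gamma * a * a}
    for _ in range(trials):
        run = run_protocol(n, rng)
        if run is None:
            continue
        assert run["k_A"] == run["k_B"]  # f is injective, so agreement is exact
        stats["agreed"] += 1
        if eve_attack(run, gamma, rng) == run["k_B"]:
            stats["eve_success"] += 1
        o = run["oracle"]
        stats["max_alice"] = max(stats["max_alice"], o.count("alice"))
        stats["max_bob"] = max(stats["max_bob"], o.count("bob"))
        stats["max_eve"] = max(stats["max_eve"], o.count("eve"))
    return stats


if __name__ == "__main__":
    print(experiment(n=400, trials=50))
```

With n = 400 the players make 20 queries each, while Eve's budget of 5ab = 2000 already exceeds n, which is why she recovers the key in almost every agreed run: this is the Θ(n) = Θ((a+b)²) regime of Section 4, not a weakness of the protocol. Lowering γ so that γab = o(n) makes Eve's success rate drop towards γab/n, matching the entropy argument above.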

5 Conclusion 

We provided an analysis of the most commonly considered attack on this type of key-agreement protocol, in which the attacker iterates the players' strategies with gradually updated information, for the case of one-round protocols. Originally, we were hoping to generalize the result to the multi-round scenario, which has very recently been done by Barak and Mahmoody-Ghidary.